The Model's Output Is Untrusted Input
The first principle, and the one most often missed, is that a language model's output must be treated as untrusted user input - because, by way of prompt injection, an attacker may be the one writing it. Whatever consumes that output inherits the risk, a point many AI agent developers miss. This means that all of the numerous injection vulnerabilities that our Web Application Assessment covers appear in a new guise.
If an AI's response is rendered in a browser, it is a cross-site scripting vector; if it is interpolated into a database query, an injection vector; if it is passed to a shell or an eval, a route to remote code execution; if it is used to build an outbound request, a path to server-side request forgery. An LLM bolted onto your application becomes a new, attacker-influenced source feeding all the classic sinks our Web Application Assessments and Server Security Assessments already examine - and it tends to feed them without any of the validation a developer would apply to ordinary user input. We pay particular attention to one elegant exfiltration channel that ties this leg back to the last: a model induced to emit a Markdown image or link pointing at an attacker's server, so that simply rendering the response leaks whatever sensitive data the attacker has hidden in the URL.
This family of attack vectors is the fifth-highest rated risk family for AI applications according to the OWASP 2025 Top 10 for LLMs, and addressing it is a critical element of AI security. The mitigations combine conventional web security measures against injection attacks with LLM-specific techniques like structured decoding, where logit-suppression constrains the tokens an LLM can generate to obey a formal grammar. We can advise on remediation strategies, as the novel and interdisciplinary nature of this risk makes it a particularly complex security engineering challenge.